Blue Team-System Live Analysis [Part 11]- Windows: User Account Forensics- NTUSER.DAT Rules, Tools, Structure, and Dirty Hives!

NTUSER.DAT, ntuser.dat.LOG1 and ntuser.dat.LOG2 extracted from a test system using FTK Imager
  • The Challenge
  • The Solution
  • Primary sequence number: this number is incremented by 1 when a write operation on NTUSER.DAT begins.
  • Secondary sequence number: this number is incremented by 1 when the write operation on NTUSER.DAT ends.
  • If the primary sequence number != secondary sequence number: NTUSER.DAT is not up to date (a dirty hive), and the pending changes must be merged in from ntuser.dat.LOG1 and ntuser.dat.LOG2.
Dirty NTUSER.DAT opened with Hex Editor.
  • If the primary sequence number == secondary sequence number: NTUSER.DAT is up to date (a clean hive) and contains the complete, current data.
Clean NTUSER.DAT opened with Hex Editor.
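The hex-editor check described above can be automated. The following is an added example, not code from the original article or from any of the tools it mentions: it parses the first 4 KiB of a hive file (the "regf" base block), reads the primary and secondary sequence numbers at offsets 0x04 and 0x08, and reports whether the hive is dirty. It also verifies the header checksum and decodes the last-written timestamp and the embedded hive path, so an analyst can see at a glance whether the logs still need to be replayed. The two headers it builds for demonstration are constructed in memory; the field layout and the checksum rule (XOR of the 127 DWORDs before offset 508, with 0 stored as 1 and 0xFFFFFFFF stored as 0xFFFFFFFE) are the documented format of the Windows registry hive base block.

```python
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

REGF_SIGNATURE = b"regf"
BASE_BLOCK_SIZE = 4096      # the base block is the first 4 KiB of the hive file
CHECKSUM_OFFSET = 508       # DWORD at 0x1FC, covers the 508 bytes before it


@dataclass
class HiveHeader:
    primary_seq: int        # offset 0x04: bumped when a write begins
    secondary_seq: int      # offset 0x08: bumped when the write completes
    last_written: int       # offset 0x0C: FILETIME, 100 ns ticks since 1601-01-01 UTC
    major: int              # offset 0x14
    minor: int              # offset 0x18
    file_name: str          # offset 0x30: UTF-16LE hive path as recorded by Windows
    checksum_ok: bool       # stored DWORD at 0x1FC matches the recomputed XOR

    @property
    def is_dirty(self) -> bool:
        # Mismatch means a write started but never finished in the primary file:
        # the transaction logs (.LOG1/.LOG2) must be replayed before analysis.
        return self.primary_seq != self.secondary_seq

    @property
    def last_written_utc(self) -> datetime:
        return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(
            microseconds=self.last_written // 10
        )


def header_checksum(base_block: bytes) -> int:
    """XOR of the 127 little-endian DWORDs preceding the checksum field."""
    checksum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        checksum ^= dword
    if checksum == 0:              # Windows never stores 0 ...
        checksum = 1
    elif checksum == 0xFFFFFFFF:   # ... or 0xFFFFFFFF
        checksum = 0xFFFFFFFE
    return checksum


def parse_base_block(data: bytes) -> HiveHeader:
    """Parse the regf base block; raises ValueError on a non-hive or truncated input."""
    if len(data) < BASE_BLOCK_SIZE or data[:4] != REGF_SIGNATURE:
        raise ValueError("not a regf hive (bad signature or truncated base block)")
    primary, secondary, last_written, major, minor = struct.unpack_from("<IIQII", data, 4)
    file_name = data[48:112].decode("utf-16-le").split("\x00", 1)[0]
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    recomputed = header_checksum(data[:BASE_BLOCK_SIZE])
    return HiveHeader(primary, secondary, last_written, major, minor,
                      file_name, stored == recomputed)


def classify(data: bytes) -> str:
    """'dirty' when the sequence numbers disagree, otherwise 'clean'."""
    return "dirty" if parse_base_block(data).is_dirty else "clean"


def check_hive_file(path: str) -> HiveHeader:
    """Read only the base block of a hive on disk (e.g. an extracted NTUSER.DAT)."""
    with open(path, "rb") as fh:
        return parse_base_block(fh.read(BASE_BLOCK_SIZE))


# Constructed test data: a minimal but well-formed base block (not from a real system).
FILETIME_UNIX_EPOCH = 116444736000000000     # 1970-01-01 00:00:00 UTC as FILETIME


def build_test_base_block(primary: int, secondary: int,
                          name: str = "\\??\\C:\\Users\\test\\ntuser.dat") -> bytes:
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = REGF_SIGNATURE
    struct.pack_into("<IIQII", block, 4, primary, secondary, FILETIME_UNIX_EPOCH, 1, 5)
    # file type 0 (primary), format 1, root cell offset, hbins size, clustering factor
    struct.pack_into("<IIIII", block, 28, 0, 1, 0x20, 0x1000, 1)
    encoded = name.encode("utf-16-le")[:64]
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, CHECKSUM_OFFSET, header_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    for label, blob in (("clean", build_test_base_block(1234, 1234)),
                        ("dirty", build_test_base_block(1235, 1234))):
        h = parse_base_block(blob)
        print(f"{label}: seq {h.primary_seq}/{h.secondary_seq} -> {classify(blob)}, "
              f"checksum_ok={h.checksum_ok}, written={h.last_written_utc:%Y-%m-%d %H:%M:%S}, "
              f"path={h.file_name}")
```

Run `check_hive_file(r"d:\sechub\NTUSER.dat")` against the extracted hive from the walkthrough above; a `dirty` result is the programmatic equivalent of the Dirty Hive Warning that Registry Explorer shows, and a failed checksum is a separate signal that the base block itself is damaged rather than merely behind the logs.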
Reg Commands for NTUSER.dat Analysis
  • Load the NTUSER.DAT
reg load HKLM\sechub d:\sechub\NTUSER.dat
NTUSER.dat Loaded into HKLM\sechub
  • Retrieve Information
reg query HKLM\sechub
and
reg query HKEY_LOCAL_MACHINE\sechub\Environment
Retrieve the Information from Loaded NTUSER.DAT using Reg Query Command
  • Unload the NTUSER.DAT
Unload NTUSER.dat from Registry
Retrieve the Information from Loaded NTUSER.DAT using RegRipper
The RegRipper Report Sample
Registry Explorer and RECmd
Load NTUSER.DAT Hive
Dirty Hive Warning
Replay Transaction Logs
Select ntuser.dat.LOG1 and ntuser.dat.LOG2
Save the Updated Hive
Save the Updated Hive File
Load the Updated Hive
Load the Old (Dirty) hive
The Dirty and Clean NTUSER.DAT Loaded in Registry Explorer
